FIN7 Threat Group Adds Two New Tools to Its Arsenal

The FIN7 threat group has added two new tools to its malware arsenal, namely BOOSTWRITE and RDFSNIFFER.

BOOSTWRITE is a dropper that decrypts and loads two payload DLLs, namely the CARBANAK backdoor and RDFSNIFFER.

What’s the matter?

Researchers from FireEye have observed that the FIN7 threat group has added two new tools to its malware arsenal, namely BOOSTWRITE and RDFSNIFFER.

About BOOSTWRITE

BOOSTWRITE is an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. Researchers noted that one of the samples they analyzed was signed by a valid Certificate Authority.

This tool is designed to be launched by abusing the DLL search order of applications that load the legitimate `DWrite.dll` provided by Microsoft DirectX Typography Services.

Once loaded, the malicious `DWrite.dll` (BOOSTWRITE) connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs.
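The search-order abuse described above leaves a simple host artifact: a file named `DWrite.dll` loaded from an application directory rather than from the Windows system directories. The following detection logic is an added example written for this article, not code from FireEye or from the FIN7 report, and it runs over constructed image-load records shaped like Sysmon "Image loaded" events (the event field names and the default `C:\Windows` install path are assumptions). Because the article notes that one BOOSTWRITE sample carried a valid signature, the check deliberately does not whitelist signed files.

```python
from pathlib import PureWindowsPath

# Directories where the genuine DWrite.dll is expected to live.
# Assumption: a default C:\Windows install; adjust for the real SystemRoot.
TRUSTED_DWRITE_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed image-load events for the example; the "signed" flag stands in for
# whatever signature verdict the telemetry source reports.
SAMPLE_IMAGE_LOADS = [
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Windows\System32\DWrite.dll", "signed": True},
    {"process": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\DWrite.dll", "signed": True},
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Program Files\Vendor\dwrite.dll", "signed": False},
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Windows\System32\d3d11.dll", "signed": True},
]


def is_sideloaded_dwrite(event):
    """True when a DLL named DWrite.dll was loaded from outside the system directories.

    The signature verdict is intentionally ignored: the article reports a signed
    BOOSTWRITE sample, so "signed" alone must not suppress the alert.
    """
    image = PureWindowsPath(event["image"])
    if image.name.lower() != "dwrite.dll":
        return False
    return str(image.parent).lower() not in TRUSTED_DWRITE_DIRS


def find_sideloaded_dwrite(events):
    """Return every image-load event that matches the DWrite.dll search-order abuse pattern."""
    return [e for e in events if is_sideloaded_dwrite(e)]


if __name__ == "__main__":
    for hit in find_sideloaded_dwrite(SAMPLE_IMAGE_LOADS):
        print(f"{hit['process']} loaded {hit['image']} (signed={hit['signed']})")
```

The same path comparison applies to any file-system inventory: a `DWrite.dll` sitting next to a third-party executable is the artifact to triage, regardless of whether it validates as signed.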

“To accomplish this task, the malware first generates a random file name to be used as a text log under the current user's %TEMP% directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body,” researchers noted.
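The quoted analysis names two things an analyst can act on: a log file under `%TEMP%` whose name is `~rdf` followed by digits, and a 32-byte multi-XOR key used to decode data in the malware body. The block below is an added example for this article, not FireEye's or the malware's own code: it hunts a constructed `%TEMP%` listing for the file-name pattern and shows the decode step under the assumption that "multi-XOR" means a repeating 32-byte XOR key (the real layout of the encoded data and how the key is located are not described here, so the sample blob and key are constructed).

```python
import re
from pathlib import PureWindowsPath

# File-name pattern from the quoted analysis: "~rdf" followed by random numbers.
RDF_LOG_NAME = re.compile(r"^~rdf\d+$", re.IGNORECASE)

# Constructed %TEMP% listing; only the first two entries match the pattern.
SAMPLE_TEMP_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\~rdf48213",
    r"C:\Users\alice\AppData\Local\Temp\~rdf7",
    r"C:\Users\alice\AppData\Local\Temp\~rdfnotes.txt",
    r"C:\Users\alice\AppData\Local\Temp\~DF1A2B.tmp",
]


def find_rdf_logs(paths):
    """Return the paths whose file name matches ~rdf<digits>."""
    return [p for p in paths if RDF_LOG_NAME.match(PureWindowsPath(p).name)]


def multi_xor(data, key):
    """XOR data with a repeating key. XOR is symmetric, so this both encodes and decodes.

    Assumption: the article's "32-byte long multi-XOR key" is a repeating-key XOR;
    the key length is enforced so a mismatched key is caught early.
    """
    if len(key) != 32:
        raise ValueError("expected a 32-byte key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed key and plaintext for the round-trip demonstration.
SAMPLE_KEY = bytes(range(0x10, 0x30))
SAMPLE_PLAINTEXT = b"constructed payload string longer than the 32-byte key"


def decode_sample():
    """Encode the constructed plaintext, then decode it again with the same key."""
    encoded = multi_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return multi_xor(encoded, SAMPLE_KEY)


if __name__ == "__main__":
    for path in find_rdf_logs(SAMPLE_TEMP_LISTING):
        print("suspicious temp artifact:", path)
    print("round trip ok:", decode_sample() == SAMPLE_PLAINTEXT)
```

On a live host the listing would come from enumerating `%TEMP%`; the regex is anchored so that unrelated names such as `~DF1A2B.tmp`, which Windows itself creates, do not match.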

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements,” researchers concluded.